University of Surrey invents "all in one" authentication technique

Guildford, Surrey

The University of Surrey has developed an innovative ‘all in one’ password system that will allow users to use their face, eyes or fingerprints – alongside or instead of word-based systems – on their work or home computers.

The technology will allow users to generate much more complicated but still easy-to-remember passwords. This means that passwords will be significantly harder to crack, because hackers will not only have to break the password, they will also have to work out the format and composition of the password itself.

The new technology, named Pass∞ (pronounced Passinfinity), can be completely backward-compatible with existing computer systems, meaning it could be easily added to all systems immediately with little or without any changes to existing infrastructure.

Pass∞ has been invented by the Department of Computer Science’s Dr Shujun Li and his PhD student Miss Nouf Aljaffan. It will not only make it easier for organisations and service providers to implement and maintain user authentication systems, but will also empower users with the ability to combine many different authentication actions for proving their identities.

It will do so while preserving the overall user experience with text-based passwords, biometrics-based user authentication systems (such as face, iris, fingerprint based systems) and multi-factor user authentication systems.

One of the many features Pass∞ can offer is user-friendly free combinations of multiple authentication actions such as entering normal passwords, styling some characters, selecting a picture, clicking some points on a picture, drawing something on a picture, showing your face in front of a webcam, and even adding the user’s current geo-locations.

Other features Pass∞ provides include high modularity and backward compatibility so that minimum or even no changes are needed to add new and to reconfigure existing user authentication modules, thus drastically simplifying transitions from old authentication systems to new ones and for maintenance of existing systems.

Dr Shujun Li, a Deputy Director of Surrey Centre for Cyber Security (SCCS) and co-inventor of Pass∞, said: “This is definitely among the biggest ideas and the most exciting research work I have been working on at the University of Surrey for over five years. What makes the idea unique is the big contrast between the simplicity of the solution and how it solves many hard problems around passwords and user authentication in general. The new technology, which is in its final stages of development, will give both end users and organisations a simple and easy to use system that has great flexibility and agility to incorporate all known user authentication factors and many (if not all) known systems in a single framework and user interface.”

The inventors believe that Pass∞ has a great potential to increase both the security and the usability of passwords significantly as a much longer password can be generated from a shorter sequence of authentication actions which are easy to remember.

In addition, Pass∞ can be deployed at either server or client side. When implemented at the client side, for instance on users' mobile phones or personal computers, it can be developed as an advanced “password manager” and/or a web browser extension, thus allowing it to work with any remote servers. When it is deployed at the server side, the server can provide more options to end users, e.g., allow them to decide what biometric authentication actions (face, fingerprints, speech, iris, etc.) to choose and how to combine them.

The University of Surrey has filed a patent application on the new technology. The Pass∞ team at the University of Surrey, in partnership with tech transfer specialists Crossword Cybersecurity plc, is currently conducting some market research and keen to hear about the public’s feedback on the project and to share their thoughts on the new technology.